This repository has been archived by the owner on Aug 16, 2024. It is now read-only.

INT-5777 - Ingest findings and account #34

Merged
merged 2 commits into from
Jan 25, 2023

Conversation

eXtremeX
Contributor

Added

  • Updated SDK versions to v8

  • Entities:

    | Resources | Entity _type      | Entity _class |
    |-----------|-------------------|---------------|
    | Account   | sonarqube_account | Account       |
    | Finding   | sonarqube_finding | Finding       |

  • Relationships:

    | Source Entity _type | Relationship _class | Target Entity _type  |
    |---------------------|---------------------|----------------------|
    | sonarqube_account   | HAS                 | sonarqube_project    |
    | sonarqube_account   | HAS                 | sonarqube_user       |
    | sonarqube_account   | HAS                 | sonarqube_user_group |
    | sonarqube_project   | HAS                 | sonarqube_finding    |

@eXtremeX eXtremeX requested a review from a team as a code owner December 21, 2022 04:25
@VDubber VDubber self-assigned this Jan 4, 2023
return createIntegrationEntity({
entityData: {
source: {
id,

Let's just add the name since the id (and the name) are already on the entities.

params?: NodeJS.Dict<string | string[]>,
): Promise<void> {
return this.iterateResources<'issues', SonarqubeFinding>(
'/issues/search',

Was this endpoint considered: api/projects/export_findings
https://next.sonarqube.com/sonarqube/web_api/api/projects/export_findings


This endpoint was initially part of the request in the ticket so we just followed that.

From your suggestion, I went ahead and looked into it and it seems like this is also the endpoint that SonarQube's UI queries when we go to the Issues page. There might be an advantage there since there is consistency in the data between the UI and our integrations.

This /export_findings endpoint's advantage seems like it also includes what SonarQube calls 'hotspots'. Hotspots are not a vulnerability per se, unlike Issues, but they can also be under certain circumstances.

We can definitely use it for this though. What do you think?


Let's get a bit of data and then we can make a better call. Thanks for the details here!

await client.iterateUserGroups((userGroup) => {
convertedUserGroups.push(createUserGroupEntity(userGroup));
const userGroupEntity = createUserGroupEntity(userGroup);
convertedUserGroups.push(userGroupEntity);

nit: add directly to jobState
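The two review threads above (which SonarQube endpoint to page through, and adding converted entities straight to the job state instead of buffering them in an array) are easier to reason about with a runnable sketch. The TypeScript below is an added example, not code from this PR or from the JupiterOne SDK. It assumes the `/api/issues/search` response envelope `{ paging: { pageIndex, pageSize, total }, issues: [...] }`, the `p`/`ps`/`componentKeys` query parameters, a 500-row maximum page size and a 10,000-result paging cap (all assumptions about SonarQube, not facts from the page), and it uses a small `JobState` class as a stand-in for the SDK's `jobState`. The fixture data is constructed.

```typescript
// Added example, not the PR's code: page through SonarQube's /api/issues/search and
// turn each issue into the graph shape the PR describes (sonarqube_finding entities,
// sonarqube_project HAS sonarqube_finding). Assumed rather than taken from the page:
// the { paging: { pageIndex, pageSize, total }, issues: [...] } envelope, the
// p/ps/componentKeys query parameters, and JobState as a stand-in for the SDK jobState.

export type SonarqubeIssue = {
  key: string; project: string; rule: string; severity: string; type: string; status: string; message: string;
};
export type Paging = { pageIndex: number; pageSize: number; total: number };
export type IssuesPage = { paging: Paging; issues: SonarqubeIssue[] };
export type Fetcher = (path: string, params: Record<string, string>) => Promise<IssuesPage>;

export const MAX_PAGE_SIZE = 500; // largest ps issues/search accepts (assumption)
export const RESULT_CAP = 10000;  // issues/search will not page past 10,000 results (assumption)

// Pure paging decision, kept separate so it can be tested without a client.
export function pagingState(paging: Paging): 'done' | 'more' | 'capped' {
  const seen = paging.pageIndex * paging.pageSize;
  if (seen >= paging.total) return 'done';
  return seen >= RESULT_CAP ? 'capped' : 'more';
}

// Callback style mirrors the PR's client.iterateResources / iterateUserGroups.
export async function iterateIssues(
  fetcher: Fetcher, projectKey: string, cb: (issue: SonarqubeIssue) => void, pageSize = MAX_PAGE_SIZE,
): Promise<number> {
  let count = 0;
  for (let page = 1; ; page++) {
    const params = { componentKeys: projectKey, p: String(page), ps: String(pageSize) };
    const body = await fetcher('/api/issues/search', params);
    for (const issue of body.issues) { cb(issue); count++; }
    const state = pagingState(body.paging);
    if (state === 'done') return count;
    // Stopping quietly at the cap would under-report findings; fail loudly so the caller
    // narrows the query (by severity, type or createdAfter) instead.
    if (state === 'capped') throw new Error(`${projectKey}: more than ${RESULT_CAP} issues, narrow the query`);
  }
}

export type Entity = { _key: string; _type: string; _class: string[]; [prop: string]: unknown };
export type Relationship = { _key: string; _type: string; _class: 'HAS'; _fromEntityKey: string; _toEntityKey: string };

// Stand-in for the SDK jobState: keyed maps, so re-adding an existing _key is a no-op.
export class JobState {
  entities = new Map<string, Entity>();
  relationships = new Map<string, Relationship>();
  addEntity(e: Entity): Entity { if (!this.entities.has(e._key)) this.entities.set(e._key, e); return e; }
  addRelationship(r: Relationship): void { if (!this.relationships.has(r._key)) this.relationships.set(r._key, r); }
}

export function createFindingEntity(issue: SonarqubeIssue): Entity {
  return {
    _key: `sonarqube_finding:${issue.key}`, _type: 'sonarqube_finding', _class: ['Finding'],
    name: issue.rule, message: issue.message,
    severity: issue.severity.toLowerCase(),
    category: issue.type.toLowerCase(), // vulnerability | bug | code_smell
    open: issue.status === 'OPEN',
  };
}

export function createProjectHasFindingRelationship(projectKey: string, finding: Entity): Relationship {
  const from = `sonarqube_project:${projectKey}`;
  return { _key: `${from}|has|${finding._key}`, _type: 'sonarqube_project_has_finding', _class: 'HAS',
           _fromEntityKey: from, _toEntityKey: finding._key };
}

// Each finding and its HAS edge go straight into jobState as they are fetched (the
// reviewer's nit) instead of being buffered in an array first.
export async function ingestFindings(
  fetcher: Fetcher, projectKey: string, jobState: JobState, pageSize = MAX_PAGE_SIZE,
): Promise<number> {
  return iterateIssues(fetcher, projectKey, (issue) => {
    const finding = jobState.addEntity(createFindingEntity(issue));
    jobState.addRelationship(createProjectHasFindingRelationship(projectKey, finding));
  }, pageSize);
}

// Constructed fixture standing in for a SonarQube server: three issues on one project.
export const SAMPLE_ISSUES: SonarqubeIssue[] = [
  { key: 'issue-1', project: 'demo-app', rule: 'demo:hardcoded-secret', severity: 'CRITICAL', type: 'VULNERABILITY', status: 'OPEN', message: 'Hard-coded credential' },
  { key: 'issue-2', project: 'demo-app', rule: 'demo:null-deref', severity: 'MAJOR', type: 'BUG', status: 'OPEN', message: 'Possible null dereference' },
  { key: 'issue-3', project: 'demo-app', rule: 'demo:todo-comment', severity: 'MINOR', type: 'CODE_SMELL', status: 'RESOLVED', message: 'TODO left in code' },
];

// Honours p/ps/componentKeys the way the real endpoint would, so paging is exercised.
export function fakeFetcher(all: SonarqubeIssue[]): Fetcher {
  return async (_path, params) => {
    const p = Number(params.p), ps = Number(params.ps);
    const mine = all.filter((i) => i.project === params.componentKeys);
    return { paging: { pageIndex: p, pageSize: ps, total: mine.length }, issues: mine.slice((p - 1) * ps, p * ps) };
  };
}

// Page size 2 so the three-issue fixture actually crosses a page boundary.
export async function demo(): Promise<JobState> {
  const jobState = new JobState();
  await ingestFindings(fakeFetcher(SAMPLE_ISSUES), 'demo-app', jobState, 2);
  return jobState;
}
```

Running `demo()` yields three `sonarqube_finding` entities and three `sonarqube_project_has_finding` relationships, fetched over two pages. The `pagingState` helper is where the volume question from the review becomes concrete: an integration that silently stops at the server-side cap reports fewer findings than exist, so the loop throws instead and leaves it to the caller to split the query. If `/export_findings` is adopted instead, the same entity and relationship builders apply; only the fetcher and the paging envelope change.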

VDubber previously approved these changes Jan 4, 2023

@VDubber VDubber left a comment

Looks great. Added a few comments.
Do we know what volume of data we are dealing with here?
Approving, please msg me for follow-up reviews/approvals.


socket-security bot commented Jan 24, 2023

Socket Security Pull Request Report

👍 No new dependency issues detected in pull request

Pull request report summary

| Issue                      | Status      |
|----------------------------|-------------|
| Critical CVE               | ✅ 0 issues |
| Install scripts            | ✅ 0 issues |
| Native code                | ✅ 0 issues |
| Bin script confusion       | ✅ 0 issues |
| Bin script shell injection | ✅ 0 issues |
| Unresolved require         | ✅ 0 issues |
| Invalid package.json       | ✅ 0 issues |
| HTTP dependency            | ✅ 0 issues |
| Git dependency             | ✅ 0 issues |
| Unsafe copyright           | ✅ 0 issues |
| License change             | ✅ 0 issues |
| Missing license            | ✅ 0 issues |
| Mixed license              | ✅ 0 issues |
| License exception          | ✅ 0 issues |
| Potential typo squat       | ✅ 0 issues |
| Known Malware              | ✅ 0 issues |
| Telemetry                  | ✅ 0 issues |
| Protestware/Troll package  | ✅ 0 issues |
| AI detected malware        | ✅ 0 issues |
Bot Commands

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of package-name@version specifiers. e.g. @SocketSecurity ignore [email protected] [email protected]

Ignoring: [email protected]

Powered by socket.dev


RPGPH commented Jan 24, 2023

> Do we know what volume of data we are dealing with here?

I just used a single project for my test data but I think it would be similar to other repo scanning services out there.


VDubber commented Jan 24, 2023

@SocketSecurity ignore [email protected]

@QueenOvGraphs QueenOvGraphs requested review from RPGPH and removed request for RPGPH January 25, 2023 20:59
@MadOx710 MadOx710 merged commit 6237a99 into JupiterOne-Archives:main Jan 25, 2023